Control of Multiple Locations
But what about those companies with multiple locations? How can they best handle the internal controls in a centralized manner?
The Auditing Standards Board has developed a draft of a decision tree that can aid in handling these situations.
Each location's controls must be evaluated within the overall organization's context. If there are location- or entity-specific risks, the specific controls that deal with each such risk must be evaluated.
It is not going to be acceptable under SarbOx to paper location-specific problems over with top-level policies.
Management will have to institute and test controls at the location or entity that generates the risk.
Avoiding material weaknesses
The first circumstance that would most likely be considered by the SEC as an actionable material weakness under SarbOx is ineffective oversight by the company's audit committee of both the company's external financial reporting and its internal control over financial reporting.
Effective oversight by the company's board of directors, including its audit committee, is considered by the PCAOB to be an integral part of a company's monitoring of internal control.
The second circumstance is a material misstatement of an audited financial report, which was not detected by existing internal controls.
If a problem with a report is first discovered by an auditor, it indicates that the internal controls in use are not effective.
If they were (according to SarbOx), then the material misstatement should not have occurred.
The third circumstance used by the PCAOB as a negative indicator is when significant deficiencies that have been communicated to management and the audit committee remain uncorrected after a reasonable period of time.
Not all deficiencies will lead to material weaknesses in the internal controls.
But if they exist uncorrected after an appropriate time period, the control environment promulgated by those at the top of the management chain is deemed by the PCAOB to be sloppy and unresponsive.
The significance of a deficiency can change over time, and must not be ignored simply because it is not currently serious enough under SarbOx to cause the company CFO to be thrown into jail.
The SEC has a few words for you
Final Rule 17 CFR Part 210 of the SEC also makes some interesting reading for an IT department, when combined with the effects of part 802 of SarbOx.
The rule states that it will "require accountants who audit or review an issuer's financial statements to retain certain records relevant to that audit or review. These records include workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent or received in connection with the audit or review, and contain conclusions, opinions, analyses, or financial data related to the audit or review. To coordinate with forthcoming auditing standards concerning the retention of audit documentation, the rule requires that these records be retained for seven years after the auditor concludes the audit or review of the financial statements, rather than the proposed period of five years from the end of the fiscal period in which an audit or review was concluded. As proposed, the rule addresses the retention of records related to the audits and reviews of not only issuers' financial statements but also the financial statements of registered investment companies." (Emphasis has been added to the bolded section to make their context clearer.)
The bottom line is that much of a company's e-mail will have to be preserved for seven years.
But more than preserved, mail and its contents will also have to be accessible to auditors (and any risk management counselors) in a way that allows for rapid review by these persons.
The capability to rapidly retrieve and sort text-based information (such as e-mails) will be needed to implement the control systems SarbOx wishes to see put in place.